A CISO usually has about 5-8 minutes in a board room to communicate risk in business terms. That is not a lot of time, so CISOs must use it wisely.
This is equally important when communicating risk to fellow co-workers. The task of getting everyone on the same page can be daunting and many CISOs will find the following situations very familiar when trying to communicate risk:
- Being unable to schedule meetings with business units to discuss security initiatives
- Publishing weekly security reports for months, only to find out that nobody has been reading them
- Presenting security awareness materials to a group, only to receive blank stares instead of meaningful questions
Why is it so hard to hold colleagues’ attention when the information is so important? Let’s examine the content of the weekly security reports or the oral information you are presenting during a meeting. Are you trying to share too much – either overwhelming your audience or putting them to sleep? It probably isn’t that the content is boring or too difficult to understand – you just aren’t communicating it effectively. The first step in effective communication, particularly as it relates to security and risk management metrics, is to ask yourself, “What do I want to communicate?”
If you have a message you want to communicate, then you can gather and share metrics that support your message. Once you have that data, package the information in a coherent message that is ready for consumption by your audience. A tip that I have found useful is to make the security metrics part of the work fabric by incorporating them into office posters, screen savers and handouts. Don’t just dust off the metrics for meetings – keep them front and center so everyone can see them, and is reminded of them daily.
It is also important to keep your message consistent and to communicate that same message to all audiences – whether board members or a business unit. This eliminates confusion and shows that CISOs and their teams are organized and well-aligned. You should also follow company culture and use company-approved communication tools and formats. Security communication should look no different from regular company communication. This may all sound easy, but it might not be so when it comes time to put it into practice. This is mainly due to the various roles and hierarchies in an organization – what may be appropriate to share with one group might not be for another.
As a CISO communicating risk and defining a communications strategy, you must remember to:
- Learn about your audience and tailor your message accordingly
- Share information
- Meet 1:1 or in a committee setting
- Don’t cry wolf or communicate FUD
- Keep guidance clear and actionable
- Don’t say no; figure out a way to enable the company to conduct its business
- Deliver on your commitments
In meetings with our customers, they have told us that using dashboards has also made it easier for them to communicate risk to board members and fellow employees. Customizable reports have enabled our customers to drive action to reduce risk.
By taking the time to define an effective communication strategy that is tailored specifically to your business, you will find that your board members and colleagues will take interest and action to help prevent and mitigate risk.

Tags: compliance, IT GRC, IT risk management, security metrics